CIGI’s essay series on data governance in the digital age has shone a spotlight on the need for a national data strategy. My contribution notes that central to any data strategy will be some measure of data control. Given the implications for privacy, security and innovation policies, this includes some control over where data is stored and the conditions under which it is transferred across borders. Yet, despite the mounting data concerns, Canada may have already signed away much of its policy flexibility with respect to rules on both data localization and data transfers, severely restricting its ability to implement policy measures in the national interest.
The Trans-Pacific Partnership – now renamed the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) – features restrictions on the ability to mandate data localization and impose limits on data transfers. Canada signed the CPTPP on March 8, 2018, and is expected to begin steps toward implementation later this year. The CPTPP model is rapidly emerging as the standard approach in “modernized” trade deals featuring e-commerce or digital trade rules, as it can be found in agreements large (the renegotiated NAFTA) and small (the recently concluded Singapore-Sri Lanka Free Trade Agreement). Given the proliferation of the provisions, the linkage between data sovereignty and trade agreements seems likely to grow tighter in the years ahead.
The inclusion of data provisions within these trade agreements raises two key concerns. First, trade agreements invariably involve trade-offs on a wide range of issues from tariffs on agricultural goods to environmental policy. The inclusion of data governance as a trade-related issue complicates the policy process since it treats a critical yet complex policy matter as little more than a trade bargaining chip.
Second, it highlights a difficult policy challenge that sits at the heart of controlling data in a networked economy. While there may be benefits for privacy, security and innovation policies from greater control over data, the issue is complicated by the competing policy goal of support for open networks and the free flow of data, which may fuel innovation and hold the potential to promote pro-democracy norms. Striking an appropriate balance that promotes an open internet and safeguards the privacy, security and innovation issues associated with data should be a top priority for trade negotiators, yet the headlong rush to conclude e-commerce or digital trade chapters in modern trade agreements suggests that the policy flexibility has narrowed considerably, with countries bound by policy limitations that they have barely begun to understand.
Rules, Legislation, Regulations and Treaties are great things. So are industry Standards and Professional Body Codes of Ethics. The more Privacy Rules exist, consistently, the harder it would be to remove them by changing legislation at a single level. We saw the Bennett II regime remove most BC Human Rights legislation at one go as too inconvenient for business.
That said, Education and Enforcement are also important.
AggregateIQ was subject to a number of Provincial, Federal, and UK regulations, since it was working for UK entities. It is pretty hard to review compliance with those regulations now that AIQ has vacated their Victoria BC office, with company records, computers, and backups gone to who knows where, if they have not been overwritten or mechanically shredded by a metal recycling machine.
A while back I attended a 60th birthday commiseration party where a BC-based sole proprietor told the sad tale of his iPhone being lifted from his shorts pocket on a crowded transit train during a cruise that touched in Europe.
His first thought was that he had lost most of his business information, including the contact details and sales records for his customers.
Eventually someone he told his story to suggested buying another iPhone and restoring from the iCloud. Problem solved by restoring from a backup, probably in the USA and subject to the PATRIOT Act?
I just sat there, thinking about the implications under BC PIPA, Federal PIPEDA, and European statutes about personal data. Where to start, so I didn’t.